Description
I've just upgraded to bazelmod from 28.3 to 29.0 for protobuf and I'm getting these warnings:
com.google.guava:guava has multiple versions 33.3.1-jre, 32.0.1-jre
org.mockito:mockito-core has multiple versions 5.14.2, 4.3.1
info.picocli:picocli has multiple versions 4.7.6, 4.6.3
These dependencies are somehow being brought in via the protobuf module.
The concerns I have:
- What is mockito-core doing on a production classpath? This is used for testing normally.
- What are these new entries
biz.aQute.bnd- Are you enabling this to be used in an osgi context or have you accidentally added build tooling to the dependency set?
- Why is a CLI library like picocli required for protobufs module?
- Why are all these dependencies so far behind?
- How can I avoid all this? Am I doing something wrong?
Filed as a bug as I cannot really see why all these non-production dependencies or deps that seem unrelated to the task at hand, that are so far behind, would be exposed besides some sort of error during release... almost feels like something test related has leaked into prod by mistake.
I really hope I'm "holding it wrong" and there's a quick fix.
What version of protobuf and what language are you using?
"com.google.protobuf:protobuf-java:4.29.0",
"com.google.protobuf:protobuf-java-util:4.29.0",
bazel_dep(name = "protobuf", version = "29.0")
"io.grpc:grpc-api:1.68.2",
"io.grpc:grpc-context:1.68.2",
"io.grpc:grpc-core:1.68.2",
"io.grpc:grpc-netty:1.68.2",
"io.grpc:grpc-protobuf:1.68.2",
"io.grpc:grpc-services:1.68.2",
"io.grpc:grpc-stub:1.68.2",
"io.grpc:grpc-testing:1.68.2",
Java
What operating system (Linux, Windows, ...) and version?
Linux/Mac OS M1
What runtime / compiler are you using (e.g., python version or gcc version)
bazel 7 Java 21
As a precaution, I've rolled back to 28.3 but I have no idea what the impact will be. There are so many separate bazel modules required to work with protobufs and grpc that it's often hard to tell exactly what each module is providing.
Activity